A bug in code used by Cloudflare, which provides security and performance services for millions of websites, caused private information, potentially including passwords and personal messages from many websites, to leak. Uber, OkCupid, 1Password, Fitbit, and, yes, JosephSteinberg.com all use Cloudflare. Because of the way the bug caused data to leak (essentially, Web requests to sites protected by Cloudflare occasionally received responses which included extra data), leaks from one site could have occurred when people accessed other sites.

This may sound alarming--and, in fact, many security professionals are telling people to change their passwords for all sites protected by Cloudflare--but I disagree. As I said after the Heartbleed vulnerability, when others were calling for mass password changes, unless the impacted provider (in this case, Cloudflare) tells you to change passwords, it may be best to do nothing.

Here is why:

1. Some Cloudflare-protected sites utilize security protections that make any Cloudflare-type leaks unusable. 1Password has already told its users that this is the case. Many other sites were likely not affected by the leak--something that Cloudflare may determine in the near future.

2. It is not clear that any criminals knew of the leak--or that anyone exploited it. That on its own is not a reason not to change passwords, but it does make this situation totally different than if a password list surfaced on the dark web. (In some ways, the Cloudflare situation versus a typical leak is like the difference between finding that you left your house key outside your house overnight--do you change all of your locks because a criminal may have found and copied it?--versus finding out with certainty that a criminal stole your house key.)

3. Most of the terrible password leaks that we have seen in recent years involve an entire password database being stolen, or a list appearing online. With millions of passwords listed in a single file, it is simple for criminals to abuse the information. The Cloudflare leak is entirely different. Data leaked from Cloudflare in a non-obvious way during online sessions, so the leaks would not have even been noticed by most users. And while the leak went on for many months, Cloudflare believes that, at its peak, only approximately 1 in every 3,300,000 HTTP requests through Cloudflare likely resulted in leakage (that would be ~0.00003% of requests). Plus, not all of that leakage was passwords--in fact, it is likely that only a small percentage was--meaning that to assemble a large cache of password information, a criminal who was aware of the leak would have had to make an extremely large number of Web requests, which would likely have triggered suspicions (if not DDoS protections) at Cloudflare. This did not happen, making it reasonable to suspect that there was no such criminal. It is true that a criminal could have obtained some passwords without triggering suspicions--for example, by using a zombie network to send requests over time, or by sending a small number of requests to a large number of Cloudflare-protected sites, etc.--but the odds that one or more of your passwords was compromised in such a fashion are small.

4. Even if a criminal did manage to make an extraordinary number of requests and obtain data in many Web sessions, due to the way the bug actually caused the leaks to occur, odds are still good that a great number of passwords never leaked.

5. Cloudflare protects many sites. When people create many new passwords at one time they face serious limitations of human memory and are more likely than otherwise to write passwords down (bad idea), store them in a computer (which, unless they are properly encrypted and the device secured, is also a bad idea), or use passwords identical to, or similar to, one another on multiple sensitive sites (bad idea). Asking people to replace all of their passwords for sites protected by Cloudflare, therefore, raises the possibility of strong passwords (that were likely never compromised) being replaced with weak ones. Furthermore, because of password reuse, if a password was used on a Cloudflare site it would need to be replaced on all sites on which it was used--even those not protected by Cloudflare--so the number of passwords that some pros are asking people to reset could be quite high. (Of course, if you use a password manager that can replace all of your passwords at one time with random strings and not change the way you authenticate to it, go ahead and do so.)

6. Security professionals can only make limited demands on people--we cannot expect people to change passwords and create strong new ones on a frequent basis. Creating an exaggerated sense of urgency now will likely cause people not to change passwords down the road when a situation arises in which doing so is actually critical. I say this fully cognizant that there is risk now--but I believe that the current risk is much smaller than the price that would be paid in increased "cybersecurity fatigue," leading to much bigger problems in the future. Furthermore, I expect that within the next few days, owners of sites protected by Cloudflare will hear from the firm--and many will likely be told that they have little to worry about. If you tell people to change passwords and then they find out that there was no reason to do so, you increase the odds of being dismissed next time as the "Boy Who Cried Wolf."

One other interesting point: The entire leak resulted from a buffer overrun that appears to have been caused by an end-of-buffer check written as an equality comparison (==) rather than a greater-than-or-equal-to comparison (>=). Small mistakes in code can have large consequences, reinforcing the need for information-security involvement in software development throughout the software's lifecycle.
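To make the point concrete, here is an added illustration (written for this post; it is not Cloudflare's parser code, and the length-prefixed record format is a constructed, hypothetical one). An equality check only fires when the scan position lands exactly on the end of the buffer; a scanner that advances by more than one byte at a time can step past the end and keep going, which is the class of defect described above. The reads beyond the buffer are simulated and counted rather than performed, so the program shows the difference without itself touching memory it does not own.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed sample input (hypothetical format): each record is one length
 * byte followed by that many payload bytes. The second record claims 5 bytes
 * but only 2 remain, so a scanner that skips payloads by their declared
 * length will jump past the end of the buffer. */
static const unsigned char SAMPLE[] = { 2, 'a', 'b', 5, 'x', 'y' };

/* Cap on simulated out-of-bounds reads: real code would crash or leak
 * adjacent memory here; we just stop the simulation. */
#define OOB_LIMIT 4

struct scan_result {
    size_t records;    /* records the scanner believed it consumed */
    size_t oob_bytes;  /* reads the scanner attempted beyond the buffer */
};

/* Bounded accessor: counts an out-of-bounds read instead of performing it. */
static unsigned char read_at(const unsigned char *buf, size_t len,
                             size_t i, size_t *oob)
{
    if (i < len)
        return buf[i];
    (*oob)++;
    return 0;
}

/* Walk the records. use_ge selects the end check:
 *   0 -> "p == pe" (the buggy form)
 *   1 -> "p >= pe" (the defensive form) */
struct scan_result scan(const unsigned char *buf, size_t len, int use_ge)
{
    struct scan_result r = { 0, 0 };
    size_t p = 0, pe = len;

    for (;;) {
        /* End-of-buffer check. With "==", a p that has already jumped
         * past pe never matches and the loop keeps reading. */
        if (use_ge ? (p >= pe) : (p == pe))
            break;

        size_t n = read_at(buf, len, p, &r.oob_bytes);
        if (r.oob_bytes >= OOB_LIMIT)
            break;                 /* stop the simulation of the overrun */

        p += 1 + n;                /* skip length byte plus declared payload */
        r.records++;
    }
    return r;
}

/* Run the scanner over the constructed sample with the chosen end check. */
struct scan_result scan_sample(int use_ge)
{
    return scan(SAMPLE, sizeof SAMPLE, use_ge);
}

int main(void)
{
    struct scan_result bug = scan_sample(0);
    struct scan_result fix = scan_sample(1);
    printf("== check: %zu records, %zu out-of-bounds reads\n",
           bug.records, bug.oob_bytes);
    printf(">= check: %zu records, %zu out-of-bounds reads\n",
           fix.records, fix.oob_bytes);
    return 0;
}
```

With the equality check, the scanner jumps from offset 3 to offset 9 on the truncated second record, never equals the end offset of 6, and keeps reading past the buffer until the simulation cap stops it; with the `>=` check it halts as soon as the position passes the end. The wider lesson for reviewers is that any loop whose position can advance by a variable amount needs an inequality, not an equality, as its termination condition.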

Published on: Feb 24, 2017